On Sunday, Mar 2, 2003, at 12:36 America/Montreal, Jeffrey Hutzelman wrote:
* architecture, section 3.1 (Host Keys)

  Each server host SHOULD have a host key. [...] If a host has keys at all, it MUST have at least one key using each REQUIRED public key algorithm (currently DSS [FIPS-186])

How did these statements make it through? "MUST is for implementors"; we can't tell a server operator he must have a particular type of host key. We should instead be saying that implementations MUST support the required algorithm.
Wrong fix. If we ended up with more than one algorithm, your proposed fix might not support all algorithms concurrently due to lack of key storage space in an implementation. Implementations MUST be capable of having at least one key for each REQUIRED public key algorithm at any given time and MUST have some method for the user/operator to configure that key.

Ran